Remote Access VPN + l2tp + ipsec gre

AZaburdyayev
Level 1

Good day All.

I have troubles with multiple tunnels.

I have the following application:

My topology is hub and spoke. On the hub router I configured RA-VPN, L2TP and a GRE tunnel with IPsec.

My remote peer is behind NAT. I cannot make it work. It connects to the hub router, but after some time connectivity disappears. sh isakmp sa shows that the remote peer exists and the connection should be active. I do not understand why it works that way. Please help.

Hub router.

crypto keyring TestKeyR
  pre-shared-key address 0.0.0.0 0.0.0.0 key ckey1
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
group 2
!
crypto isakmp policy 12
encr aes 256
authentication pre-share
group 2
crypto isakmp key ckey2 address EXT_STATIC_PEER_IP no-xauth
crypto isakmp keepalive 90 3
!
crypto isakmp client configuration group VPN
key RaccKey
pool pl_vpn
acl acl_VPNSel
pfs
netmask 255.255.255.240
!
crypto isakmp peer address EXT_STATIC_PEER_IP
description ATA_VOICE_RTR
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address initiate
   client configuration address respond
   client configuration group VPN
crypto isakmp profile l2prof
   keyring TestKeyR
   match identity address 0.0.0.0
   keepalive 90 retry 3
!
!
crypto ipsec transform-set ts_vpn esp-aes esp-md5-hmac
crypto ipsec transform-set ts_VOIP esp-des esp-md5-hmac
crypto ipsec transform-set ts_YVOIP esp-3des
mode transport
crypto ipsec transform-set ts_BVOIP esp-3des esp-md5-hmac
!
crypto ipsec profile cpVOICE
set transform-set ts_BVOIP
!
!
crypto dynamic-map dm_AccVPN 10
set transform-set ts_YVOIP
set isakmp-profile l2prof
match address 114
crypto dynamic-map dm_AccVPN 1000
set transform-set ts_vpn
set isakmp-profile cp_RemVPN
!
!
crypto map cm_vpns 10 ipsec-isakmp
set peer EXT_STATIC_PEER_IP
set security-association lifetime seconds 86400
set transform-set ts_VOIP
match address acl_ATA_VOIP
crypto map cm_vpns 1000 ipsec-isakmp dynamic dm_AccVPN
!
!
crypto key pubkey-chain rsa
addressed-key EXT_STATIC_PEER_IP
  address EXT_STATIC_PEER_IP
  key-string
   307C300D
  quit
!
!
!
interface Tunnel2
ip address 192.168.252.1 255.255.255.252
tunnel source EXT_IP
tunnel destination EXT_STATIC_PEER_IP
tunnel mode ipsec ipv4
tunnel protection ipsec profile cpVOICE
!
interface FastEthernet0/0
description to_Telecom
no ip address
no ip redirects
no ip proxy-arp
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/0.34
encapsulation dot1Q 34
ip address 172.16.34.1 255.255.255.252
no ip redirects
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description to_local_25
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed auto
auto qos voip
no cdp enable
no mop enabled
!
interface FastEthernet0/1.7
description tunnel_to_3745
encapsulation dot1Q 7
ip address EXT_IP 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
crypto map cm_vpns
!
interface FastEthernet0/1.8
encapsulation dot1Q 8
ip address 192.168.8.4 255.255.255.128
no ip redirects
no ip proxy-arp
no cdp enable
!
ip local pool lp_DialIN 172.16.12.0 172.16.12.31
ip local pool pl_vpn 192.168.7.2 192.168.7.6
!
ip nat inside source route-map rm_nonat interface FastEthernet0/1.7 overload
!
ip access-list extended acl_VPNSel
permit ip 172.16.31.0 0.0.0.63 192.168.7.0 0.0.0.15
permit ip 172.16.32.0 0.0.0.63 192.168.7.0 0.0.0.15
permit ip 172.16.34.12 0.0.0.3 192.168.7.0 0.0.0.15
!
access-list 105 deny   ip 172.16.31.0 0.0.0.63 192.168.7.0 0.0.0.15
access-list 105 deny   ip 172.16.31.0 0.0.0.63 192.168.253.0 0.0.0.255
access-list 105 deny   ip 172.16.31.0 0.0.0.63 192.168.251.0 0.0.0.255
access-list 105 permit ip 172.16.31.0 0.0.0.63 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 106 deny   ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 106 deny   ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 106 deny   ip 95.59.136.208 0.0.0.7 192.168.7.0 0.0.0.255
access-list 106 permit ip 172.16.31.0 0.0.0.63 any
access-list 112 permit ip host 192.168.252.1 host 192.168.252.2
access-list 112 permit ip 192.168.253.8 0.0.0.7 host 192.168.252.2
access-list 112 permit ip 192.168.253.8 0.0.0.7 192.168.253.0 0.0.0.7
access-list 112 permit ip host 192.168.168.69 host 192.168.252.2
access-list 114 permit ip 172.16.31.0 0.0.0.255 172.16.34.12 0.0.0.3
access-list 114 permit ip 192.168.7.0 0.0.0.7 172.16.34.12 0.0.0.3
access-list 114 permit ip 192.168.8.0 0.0.0.255 172.16.34.12 0.0.0.3
access-list 114 permit ip 192.168.251.0 0.0.0.255 172.16.34.12 0.0.0.3
!
!
!
route-map rm_nonat permit 10
match ip address 106
!
!
end

Spoke router config:

service timestamps debug datetime msec
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
!
aaa session-id common
clock timezone AST 6
network-clock-participate slot 1
no network-clock-participate wic 0
network-clock-select 1 E1 1/0
voice-card 1
!
ip cef
!
!
!
!
no ip bootp server
ip domain name ytel.kz
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.251.3 source-ipaddr 172.16.34.13
timeout 100
frequency 300
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 192.168.8.4 source-interface FastEthernet0/1
timeout 1000
threshold 10
frequency 300
ip sla monitor schedule 2 life forever start-time now
!
!
!
ip ssh source-interface FastEthernet0/1
ip ssh version 2
!
translation-rule 1
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key y6x8dte5ny1f address HUB_EXT_IP
crypto isakmp keepalive 90 3 periodic
crypto isakmp nat keepalive 90
!
!
crypto ipsec transform-set ts_YVOIP esp-3des
mode transport
crypto ipsec transform-set ts_test esp-3des esp-sha-hmac
mode transport
!
crypto map cm_Ytel 10 ipsec-isakmp
set peer HUB_EXT_IP
set transform-set ts_YVOIP
match address 114
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.7 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map cm_Ytel
!
interface FastEthernet0/1
ip address 172.16.34.13 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
no mop enabled
h323-gateway voip interface
h323-gateway voip bind srcaddr 172.16.34.13
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.16.34.14 23 172.16.34.13 3344 extendable
!
access-list 114 permit ip 172.16.34.12 0.0.0.3 172.16.31.0 0.0.0.255
access-list 114 permit ip 172.16.34.12 0.0.0.3 192.168.7.0 0.0.0.7
access-list 114 permit ip 172.16.34.12 0.0.0.3 192.168.8.0 0.0.0.255
access-list 114 permit ip 172.16.34.12 0.0.0.3 192.168.251.0 0.0.0.255


AZaburdyayev
Level 1

Currently both peers cannot authenticate each other. I cannot find out where the problem is. Here is the debug:

Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
Aug 15 04:49:02.443: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 15 04:49:02.447: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 15 04:49:02.447: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Aug 15 04:49:02.447: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Aug 15 04:49:03.052: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Aug 15 04:49:03.052: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 92.46.125.222
Aug 15 04:49:03.056: ISAKMP:(0:1:SW:1):SKEYID state generated
Aug 15 04:49:03.056: ISAKMP:(0:1:SW:1): processing vendor id payload
Aug 15 04:49:03.056: ISAKMP:(0:1:SW:1): vendor ID is Unity
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): processing vendor id payload
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): vendor ID is DPD
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): processing vendor id payload
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Aug 15 04:49:03.060: ISAKMP (0:134217729): NAT found, the node inside NAT
Aug 15 04:49:03.064: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 15 04:49:03.064: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
Aug 15 04:49:03.068: ISAKMP:(0:1:SW:1):Send initial contact
Aug 15 04:49:03.068: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 15 04:49:03.068: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.7
        protocol     : 17
        port         : 0
        length       : 12
Aug 15 04:49:03.068: ISAKMP:(0:1:SW:1):Total payload length: 12
Aug 15 04:49:03.072: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:03.076: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 15 04:49:03.076: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
Aug 15 04:49:12.444: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:12.444: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:12.444: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:12.944: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:12.944: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 15 04:49:12.944: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:12.944: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:13.590: ISAKMP: received ke message (1/1)
Aug 15 04:49:13.590: ISAKMP: set new node 0 to QM_IDLE
Aug 15 04:49:13.594: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote 92.46.125.222)....
Aug 15 04:49:22.440: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:22.444: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:22.444: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:22.945: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:22.945: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 15 04:49:22.945: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:22.945: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH.
Aug 15 04:49:31.696: ISAKMP: received ke message (1/1)
Aug 15 04:49:31.696: ISAKMP: set new node 0 to QM_IDLE
Aug 15 04:49:31.696: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote 92.46.125.222)
Aug 15 04:49:32.441: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:32.441: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:32.445: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:32.946: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:32.946: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 15 04:49:32.946: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:32.946: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:42.441: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:42.441: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:42.441: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:42.942: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:42.942: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 15 04:49:42.942: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:42.942: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:43.591: ISAKMP: received ke message (1/1)
Aug 15 04:49:43.591: ISAKMP: set new node 0 to QM_IDLE
Aug 15 04:49:43.591: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote 92.46.125.222)
Aug 15 04:49:52.438: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:52.442: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:52.442: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:52.943: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:52.943: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 15 04:49:52.943: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:52.943: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:50:01.697: ISAKMP: received ke message (3/1)
Aug 15 04:50:01.697: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
Aug 15 04:50:01.697: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 92.46.125.222)
Aug 15 04:50:01.701: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 92.46.125.222)
Aug 15 04:50:01.701: ISAKMP: Unlocking IKE struct 0x850CE18C for isadb_mark_sa_deleted(), count 0
Aug 15 04:50:01.701: ISAKMP: Deleting peer node by peer_reap for 92.46.125.222: 850CE18C
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node -1020871609 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node 1916440234 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node -161909214 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node -125886963 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
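As an added triage helper (not part of this thread and not Cisco tooling): a small Python script that reads the kind of ISAKMP debug pasted above and reports what the log already shows, namely that after "NAT found" the initiator sends MM_KEY_EXCH on UDP 4500 while every packet received from the peer still arrives on UDP 500, the phase 1 retransmit counter reaches 5 of 5, and the SA is deleted in state MM_KEY_EXCH. The embedded sample is a constructed, condensed excerpt in the same line format as the debug above, using the peer address from the post.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the debug above (condensed, not a verbatim copy)
SAMPLE = """\
Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 15 04:49:02.443: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 15 04:49:03.060: ISAKMP (0:134217729): NAT found, the node inside NAT
Aug 15 04:49:03.072: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:12.444: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:12.944: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 15 04:49:52.943: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 15 04:50:01.697: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 92.46.125.222)
"""

SEND = re.compile(r"sending packet to \S+ my_port (\d+) peer_port (\d+) \([IR]\) (\S+)")
RECV = re.compile(r"received packet from \S+ dport (\d+) sport (\d+) Global \([IR]\) (\S+)")
RETX = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEL = re.compile(r'deleting SA reason "([^"]+)" state \([IR]\) (\S+)')

def analyze(text):
    """Summarise an IKEv1 phase-1 debug: UDP ports per direction after NAT detection,
    retransmit exhaustion, and the state in which the SA was deleted."""
    nat_found, max_attempt, deleted = False, (0, 0), None
    sent = Counter()  # (state, my_port, peer_port) used by us after NAT detection
    recv = Counter()  # (state, dport, sport) the peer kept using after NAT detection
    for line in text.splitlines():
        if "NAT found" in line:
            nat_found = True
        elif (m := SEND.search(line)) and nat_found:
            sent[(m.group(3), int(m.group(1)), int(m.group(2)))] += 1
        elif (m := RECV.search(line)) and nat_found:
            recv[(m.group(3), int(m.group(1)), int(m.group(2)))] += 1
        elif m := RETX.search(line):
            max_attempt = max(max_attempt, (int(m.group(1)), int(m.group(2))))
        elif m := DEL.search(line):
            deleted = (m.group(1), m.group(2))
    findings = []
    floated = any(my == 4500 for (_, my, _) in sent)            # we moved to NAT-T port
    peer_still_500 = bool(recv) and all(sport == 500 for (_, _, sport) in recv)
    if nat_found and floated and peer_still_500:
        findings.append("after NAT detection we send on UDP 4500 but every packet from the peer "
                        "still arrives on UDP 500: verify UDP 4500 is passed by the NAT device both ways")
    if max_attempt[1] and max_attempt[0] >= max_attempt[1]:
        findings.append("phase 1 retransmit limit reached (%d of %d)" % max_attempt)
    if deleted:
        findings.append("SA deleted in state %s, reason: %s" % (deleted[1], deleted[0]))
    return {"nat_found": nat_found, "deleted_state": deleted[1] if deleted else None, "findings": findings}
```

Call analyze() on the full output of debug crypto isakmp from the initiator; an empty findings list means phase 1 did not show this port mismatch or retransmit exhaustion.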